OpenID Connect

[Thatoo]

Extract from matrix.org blog :

Finally, last but not least, we’re proud to announce that the project to replace Matrix’s venerable existing authentication APIs with industry-standard Open ID Connect in Matrix 2.0 has taken a huge leap forwards today, with matrix-authentication-service now being available to add Native OIDC support to Synapse, as well as Element X now implementing account registration, login and management via Native OIDC (with legacy support only for login/logout).

This is a critical step forwards in improving the security and maintainability for Matrix’s authentication, and you can read all about it in this dedicated post, explaining the rationale for adopting OpenID Connect for all forms of authentication throughout Matrix, and what you need to know about the transition.

Will it work with yunohost sso and ldap functionality?

[aibosss]

+1

[Thatoo]

Maybe an easy way would be to install automatically https://github.com/YunoHost-Apps/dex_ynh along synapse to use Yunohost LDAP through OIDC in synapse?

[Josue-T]

Well after some investigation dex or something else will be needed to link user with LDAP but it will be not enough as we also will need to manage user which was authenticated without yunohost (and is not in LDAP). For this we will need the matrix-authentication-service.

But I really think installing dex+matrix-authentication-service+sliding_proxy all on the same yunohost package make it a bit heavy.
For me ideally the yunohost SSO "should" provide a solution to connect the matrix-authentication-service (OAuth 2.0/OIDC) as it's not the only app which need this. Many app probably already need this and in long term more and more app will need this.

There are already many discussion about this here: https://github.com/YunoHost/issues/issues?q=is%3Aissue+openid

[Thatoo]

I agree with you about integrating openid to Yunohost's sso system.

For what I understood, sliding sync proxy will be merged into synapse package at some point. In the mean time, it is possible to add it separately but I wonder if we have the ressources to focus on this temporary work just to benefit a faster app for thoose who are using Element X app before synapse integrate it.

I think that working on integrating openid in SSO is a much more important long run investment.

[Josue-T]

For me it's not urgent to add sliding proxy support until elementX is merged into element. It's nice to have it but it's not mandatory.

On the openid side for me idealy we should migrate the authentication system on the same time than sliding proxy as it's all liked to the new matrix spec. But yes on other side on yunohost side there are some work to integrate oidc. Maybe it could be integrated into the work of the new yunohost portail.

Anyway for me all of this (sliding proxy and oidc) are big project which will take time to integrate. Synapse package a used by many people so we can't release unstable things. We had many regression since some last PR and we really should avoid this.

[Thatoo]

[info] Element has now a native oidc support : https://github.com/element-hq/element-web/releases/tag/v1.11.59-rc.0
I guess that all plateforme (desktop and smartphone) have at least one version working with oidc now (not yet the case for sliding-sync though).

[Josue-T]

The main issue about this is that yunohost don't support natively oidc cf YunoHost/issues#676

[Thatoo]

Does MAS change anything or the issue remain the same, "yunohost don't support natively oidc" ?

[Josue-T]

MAS require a OIDC server to migrate to the "new" standard of matrix with a MAS server.

To me we have theses 2 possibilities:

• Fork MAS and add LDAP and auth HEADER support (it will probably be a quite big work and we will need to maintain in long term which is not great, I use to do it with element to have the SSO and it wasn't good, so if we can avoid to have again this issue it's great).
• Implement OIDC in Yunohost cf Use YunoHost as an identity provider? YunoHost/issues#676. I also agree that It will be also a big work but this will probably be useful for many apps as it's a standard implemented on many apps.

[Thatoo]

I guess the second option would be better.
I wonder if in the meantime (waiting for Yunohost to become an OIDC provider), admins could have the choice between keeping using ldap only (as it is, no MAS) or using MAS with dex, for this they should install dex and then fill some fields in synapse config panel in the admin web GUI.

[Josue-T]

Well I'm not convinced by the idea to use dex, because if we will end with 2 different configuration to maintains and this for a undefined time. But yes it's a possibility to use dex even if don't really like this idea. I would really prefer to have correct implementation, as one day we more and more client will needed it and it don't make sense to say: by default it's not supported to need install an other app and than configure synapse to use it.